www.ijsetr.com
ISSN 2319-8885
Vol.04, Issue.18, June-2015, Pages: 3464-3470
Copyright @ 2015 IJSETR. All rights reserved.
Implementation of New Security Primitive using Captcha As Graphical Passwords Based On Hard AI Problems
M. MOHAMMED IMRAN (1), K. GOVARDHAN REDDY (2)
1 PG Scholar, Dept of CSE, Kottam Karunakara Reddy Institute of Technology, Kurnool, AP, India, Email: [email protected].
2 Professor, Dept of CSE, Kottam Karunakara Reddy Institute of Technology, Kurnool, AP, India.
Abstract: Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging
as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI
problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as
graphical passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security
problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-
surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the
password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular
graphical password systems, such as Pass Points, that often leads to weak password choices. CaRP is not a panacea, but it offers
reasonable security and usability and appears to fit well with some practical applications for improving online security.
Keywords: Graphical Password, Password, Hotspots, CaRP, Captcha, Dictionary Attack, Password Guessing Attack.
I. INTRODUCTION
A Captcha is a program that can generate and grade tests
that: (A) most humans can pass, but (B) current computer
programs can't pass. Such a program can be used to
differentiate humans from computers and has many
applications for practical security, including (but not limited
to):
Online Polls: In November 1999, slashdot.com released an
online poll asking which was the best graduate school in
computer science (a dangerous question to ask over the web).
As is the case with most online polls, IP addresses of voters
were recorded in order to prevent single users from voting
more than once. However, students at Carnegie Mellon found
a way to stuff the ballots by using programs that voted for
CMU thousands of times. CMU's score started growing
rapidly. The next day, students at MIT wrote their own
voting program and the poll became a contest between voting
"bots". MIT finished with 21,156 votes, Carnegie Mellon
with 21,032 and every other school with less than 1,000. Can
the result of any online poll be trusted? Not unless the poll
requires that only humans can vote.
Free Email Services: Several companies (Yahoo!, Microsoft,
etc.) offer free email services, most of which suffer from a
specific type of attack: "bots" that sign up for thousands of
email accounts every minute. This situation can be improved
by requiring users to prove they are human before they can
get a free email account. Yahoo!, for instance, uses a Captcha
of our design to prevent bots from registering for accounts.
Their Captcha asks users to read a distorted word such as the
one shown below (current computer programs are not as
good as humans at reading distorted text).
A. Lazy Cryptographers Doing AI
Note that from a mechanistic point of view, there is no
way to prove that a program cannot pass a test which a
human can pass, since there is a program (the human brain)
which passes the test. All we can do is to present evidence
that it's hard to write a program that can pass the test. In this
paper, we take an approach familiar to cryptographers:
investigate state-of-the-art algorithmic developments having
to do with some problem, assume that the adversary does not
have algorithms for that problem that are much better than
the state-of-the-art algorithms, and then prove a reduction
between passing a test and exceeding the performance of
state-of-the-art algorithms. In the case of ordinary
cryptography, it is assumed (for example) that the adversary
cannot factor 1024-bit integers in any reasonable amount of
time. In our case, we assume that the adversary cannot solve
an Artificial Intelligence problem with higher accuracy than
what's currently known to the AI community. This approach,
if it achieves widespread adoption, has the beneficial side
effect of inducing security researchers, as well as otherwise
malicious programmers, to advance the field of AI (much
like computational number theory has been advanced since
the advent of modern cryptography).
An important component of the success of modern
cryptography is the practice of stating, very precisely and
clearly, the assumptions under which cryptographic protocols
are secure. This allows the rest of the community to evaluate
the assumptions and to attempt to break them. In the case of
Artificial Intelligence, it's rare for problems to be precisely
stated, but using them for security purposes forces protocol
designers to do so. We believe that precisely stating unsolved
AI problems can accelerate the development of Artificial
Intelligence: most AI problems that have been precisely
stated and publicized have eventually been solved (take chess
as an example). For this reason it makes practical sense for
AI problems that are used for security purposes to also be
useful. If the underlying AI problem is useful, a Captcha
implies a win-win situation: either the Captcha is not broken
and there is a way to differentiate humans from computers, or
the Captcha is broken and a useful AI problem is solved.
Such is not the case for most other cryptographic
assumptions: the primary reason algorithms for factoring
large numbers are useful is because factoring has applications
in cryptanalysis. In this paper we will present constructions
of Captcha based on certain AI problems and we will show
that solving the Captcha implies solving the AI problems.
The AI problems we chose have several applications, and we
will show that solutions to them can be used, among other
things, for steganographic communication.
Computer security (Also known as cyber security or IT
Security) is information security as applied to computers and
networks. The field covers all the processes and mechanisms
by which computer-based equipment, information and
services are protected from unintended or unauthorized
access, change or destruction. Computer security also
includes protection from unplanned events and natural
disasters. In the computer industry, the term
security or the phrase computer security refers to techniques
for ensuring that data stored in a computer cannot be read or
compromised by any individuals without authorization. Most
computer security measures involve data encryption and
passwords. Data encryption is the translation of data into a
form that is unintelligible without a deciphering mechanism.
A password is a secret word or phrase that gives a
user access to a particular program or system.
Fig.1. Diagram explaining secure computing.
Working conditions and basic needs in secure computing:
If you don't take basic steps to protect your work computer,
you put it and all the information on it at risk. You can
potentially compromise the operation of other computers on
your organization's network, or even the functioning of the
network as a whole.
1. Physical Security: Technical measures like login
passwords and anti-virus software are essential (more about those
below). However, a secure physical space is the first and
most important line of defense. Is the place you keep your
workplace computer secure enough to prevent theft or access
to it while you are away? While the Security
Department provides coverage across the Medical center, it
only takes seconds to steal a computer, particularly a
portable device like a laptop or a PDA. A computer should
be secured like any other valuable possession when you are
not present. Human threats are not the only concern.
Computers can be compromised by environmental mishaps
(e.g., water, coffee) or physical trauma. Make sure the
physical location of your computer takes account of those
risks as well.
2. Access Passwords: The University's networks and shared
information systems are protected in part by login credentials
(user-IDs and passwords). Access passwords are also an
essential protection for personal computers in most
circumstances. Offices are usually open and shared spaces,
so physical access to computers cannot be completely
controlled. To protect your computer, you should consider
setting passwords for particularly sensitive applications
resident on the computer (e.g., data analysis software), if the
software provides that capability.
3. Prying Eye Protection: Because we deal with all facets of
clinical, research, educational and administrative data here on
the medical campus, it is important to do everything possible
to minimize exposure of data to unauthorized individuals.
4. Anti-Virus Software: Up-to-date, properly configured
anti-virus software is essential. While we have server-
side anti-virus software on our network computers, you still
need it on the client side (your computer).
5. Firewalls: Anti-virus products inspect files on your
computer and in email. Firewall software and hardware
monitor communications between your computer and the
outside world. That is essential for any networked computer.
6. Software Updates: It is critical to keep software up to
date, especially the operating system, anti-virus and anti-spyware,
email and browser software. The newest versions
will contain fixes for discovered vulnerabilities. Almost all
anti-virus products have automatic update features (including SAV).
Keeping the "signatures" (digital patterns) of malicious
software detectors up-to-date is essential for these products to
be effective.
7. Keep Secure Backups: Even if you take all these security
steps, bad things can still happen. Be prepared for the worst
by making backup copies of critical data, and keeping those
backup copies in a separate, secure location. For example,
use supplemental hard drives, CDs/DVDs, or flash drives to
store critical, hard-to-replace data.
8. Report Problems: If you believe that your computer or
any data on it has been compromised, you should make
an information security incident report. That is required
by University policy for all data on our systems, and legally
required for health, education, financial and any other kind of
record containing identifiable personal information.
II. AI PROBLEMS AS SECURITY PRIMITIVES
Notice that we define hard in terms of the consensus of a
community: an AI problem is said to be hard if the people
working on it agree that it's hard. This notion should not be
surprising to cryptographers: the security of most modern
cryptosystems is based on assumptions agreed upon by the
community (e.g., we assume that 1024-bit integers can't be
factored). The concept of a hard AI problem as a
foundational assumption, of course, is more questionable
than P ≠ NP, since many people in the AI community agree
that all hard AI problems are eventually going to be solved.
However, hard AI problems may be a more reasonable
assumption than the hardness of factoring, given the
possibility of constructing a quantum computer. Moreover,
even if factoring is shown to be hard in an asymptotic sense,
picking a concrete value for the security parameter usually
means making an assumption about current factoring
algorithms: we only assume that current factoring algorithms
that run in current computers can't factor 1024-bit integers. In
the same way that AI researchers believe that all AI problems
will be solved eventually, we believe that at some point we
will have the computational power and algorithmic ability to
factor 1024-bit integers. (Shamir and a co-author, for instance, have
proposed a machine that could factor 1024-bit integers; the
machine would cost about ten million dollars in materials.)
An important difference between popular cryptographic
primitives and AI problems is the notion of a security
parameter. If we believe that an adversary can factor 1024-bit
integers, we can use 2048-bit integers instead. No such
concept exists in hard AI problems. AI problems, as we have
defined them, do not deal with asymptotics. However, as long
as there is a small gap between human and computer ability
with respect to some problem, this problem can potentially be
used as a primitive for security: rather than asking the prover
to solve the problem once, we can ask it to solve the problem
twice. If the prover gets good at solving the problem twice,
we can ask it to solve the problem three times, etc. There is
an additional factor that simplifies the use of hard AI
problems as security primitives. Most applications of
Captcha require the tests to be answered within a short time
after they are presented. If a new program solves the hard AI
problems that are currently used, then a different set of
problems can be used, and the new program cannot affect the
security of applications that were run before it was
developed. Compare this to encryption schemes: in many
applications the information that is encrypted must remain
confidential for years, and therefore the underlying problem
must be hard against programs that run for a long time, and
against programs that will be developed in the future. We
also note that not all hard AI problems can be used to
construct a Captcha.
In order for an AI problem to be useful for security
purposes, there needs to be an automated way to generate
problem instances along with their solution. The case is
similar for computational problems: not all hard
computational problems yield cryptographic primitives.
Our definitions imply that an adversary attempting to write a
program that has high success over a Captcha knows exactly
how the Captcha works. The only piece of information that is
hidden from the adversary is a small amount of randomness
that the verifier uses in each interaction. This choice greatly
affects the nature of our definitions and makes the problem of
creating Captcha more challenging. Imagine an Automated
Turing Test that owns a large secret book written in English
and to test an entity A it either picks a paragraph from its
secret book or generates a paragraph using the best known
text-generation algorithm, and then asks A whether the
paragraph makes sense (the best text-generation algorithms
cannot produce an entire paragraph that would make sense
to a human being). Such an Automated Turing Test might be
able to distinguish humans from computers (it is usually the
case that the best text-generation algorithms and the best
algorithms that try to determine whether something makes
sense are tightly related). However, this test cannot be a
Captcha: an adversary with knowledge of the secret book
could achieve high success against this test without
advancing the algorithmic state of the art. We do not allow
Captchas to base their security on the secrecy of a database or
a piece of code.
III. IMPLEMENTATION
A. Modules
1. Graphical Password
2. Captcha in Authentication
3. Overcoming Thwart Guessing Attacks
4. Security of Underlying Captcha
1. Graphical Password: In this module, users are authenticated
before they can access the details held in the image system.
Before accessing or searching the details, a user must already
have an account; otherwise they must register first.
2. Captcha in Authentication: In this module we use both
Captcha and password in a user authentication protocol,
which we call Captcha-based Password Authentication
(CbPA) protocol, to counter online dictionary attacks. The
CbPA protocol requires solving a Captcha challenge after
inputting a valid pair of user ID and password unless a valid
browser cookie is received. For an invalid pair of user ID and
password, the user has a certain probability to solve a
Captcha challenge before being denied access.
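As an added example (not code from the paper), the following Python models the CbPA decision just described, plus the blocking behaviour shown later in Fig.14 and Fig.15. The account, cookie, salt and the 0.5 challenge probability are constructed assumptions; the paper only says "a certain probability".

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the paper): one account and the browser
# cookie issued to it after an earlier successful login.
SALT = b"constructed-demo-salt"      # a real deployment uses a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {"alice": hash_password("correct horse")}
BROWSER_COOKIES = {"alice": "cookie-issued-to-alice"}
BLOCKED = set()                      # accounts blocked after a wrong Captcha (Fig.14)
P_CHALLENGE_ON_INVALID = 0.5         # assumed; the paper gives no concrete value


@dataclass
class Decision:
    outcome: str   # "granted", "denied", "captcha_required" or "blocked"
    reason: str


def pair_is_valid(user_id: str, password: str) -> bool:
    stored = USERS.get(user_id)
    # Constant-time comparison so timing does not reveal which part was wrong.
    return stored is not None and hmac.compare_digest(stored, hash_password(password))


def cbpa_login(user_id: str, password: str, cookie: Optional[str] = None, rng=None) -> Decision:
    """Step 1 of CbPA: decide whether a Captcha must be solved. `rng` is any
    object with a random() method (defaults to the OS CSPRNG)."""
    rng = rng or random.SystemRandom()
    if user_id in BLOCKED:
        return Decision("blocked", "account blocked until the admin re-activates it")
    if pair_is_valid(user_id, password):
        expected = BROWSER_COOKIES.get(user_id, "")
        if cookie and expected and hmac.compare_digest(cookie, expected):
            return Decision("granted", "valid pair and valid browser cookie")
        return Decision("captcha_required", "valid pair but no valid cookie")
    # Invalid pair: with some probability the client must still solve a Captcha
    # before being denied, so an automated dictionary attack cannot cheaply tell
    # a wrong guess apart from a Captcha step.
    if rng.random() < P_CHALLENGE_ON_INVALID:
        return Decision("captcha_required", "invalid pair, challenge before denial")
    return Decision("denied", "invalid pair")


def cbpa_captcha_step(user_id: str, password: str, captcha_ok: bool) -> Decision:
    """Step 2 of CbPA: the client has answered the Captcha it was challenged with."""
    if not captcha_ok:
        # Fig.14: a wrong Captcha code blocks the account and alerts the user by mail.
        BLOCKED.add(user_id)
        send_alert_mail(user_id)
        return Decision("blocked", "wrong Captcha code; account blocked, alert mailed")
    if pair_is_valid(user_id, password):
        return Decision("granted", "valid pair and Captcha solved")
    return Decision("denied", "Captcha solved but the ID/password pair was invalid")


def admin_activate(user_id: str) -> None:
    """Fig.15: the admin re-activates a blocked account."""
    BLOCKED.discard(user_id)


def send_alert_mail(user_id: str) -> None:
    # Stand-in for the registered-mail alert; a real system would send e-mail here.
    print(f"[alert] account {user_id!r} blocked after a wrong Captcha code")
```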
3. Overcoming Thwart Guessing Attacks: In a guessing
attack, a password guess tested in an unsuccessful trial is
determined wrong and excluded from subsequent trials. The
number of undetermined password guesses decreases with
more trials, leading to a better chance of finding the
password. To counter guessing attack, traditional approaches
in designing graphical passwords aim at increasing the
effective password space to make passwords harder to guess
and thus require more trials. No matter how secure a
graphical password scheme is, the password can always be
found by a brute force attack. In this paper, we distinguish
two types of guessing attacks: automatic guessing attacks
apply an automatic trial and error process, although the search
set S can be manually constructed, whereas human guessing
attacks apply a manual trial and error process.
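The contrast above, as an added example that is not from the paper: in a conventional scheme every failed trial is determined wrong and shrinks the search set, whereas in CaRP a fresh image per login makes trials independent. The model is an assumption of this example: the attacker's program reads a CaRP image correctly with a given probability and otherwise learns nothing from the failed trial, so it guesses uniformly from the search set each time; a small Monte Carlo simulation checks the closed forms.

```python
import random


def p_found_conventional(search_set_size: int, trials: int) -> float:
    """Conventional scheme: each failed trial excludes one guess, so k trials
    cover k distinct guesses. With the password in the search set of size N,
    the chance of finding it within k trials is k/N (1 once k >= N)."""
    return min(trials, search_set_size) / search_set_size


def p_found_carp(search_set_size: int, trials: int, solver_accuracy: float) -> float:
    """CaRP (assumed model): every login shows a new CaRP image, and the
    attacker's solver enters the intended guess correctly only with probability
    solver_accuracy. A failed trial no longer proves the guess wrong (the solver
    may have misread the image), so nothing can be excluded and trials are
    independent with per-trial success solver_accuracy/N."""
    per_trial = solver_accuracy / search_set_size
    return 1.0 - (1.0 - per_trial) ** trials


def simulate(search_set_size: int, trials: int, solver_accuracy: float,
             runs: int, seed: int = 1):
    """Monte Carlo check of both closed forms; returns (conv_rate, carp_rate)."""
    rng = random.Random(seed)
    conv_hits = carp_hits = 0
    for _ in range(runs):
        password = rng.randrange(search_set_size)
        # Conventional: walk the search set in random order, never repeating a
        # guess, because each failure is known to be a wrong password.
        order = list(range(search_set_size))
        rng.shuffle(order)
        if password in order[:trials]:
            conv_hits += 1
        # CaRP: guess uniformly each time; the guess only "lands" when the solver
        # reads the fresh image correctly, otherwise the trial is uninformative.
        for _ in range(trials):
            guess = rng.randrange(search_set_size)
            if guess == password and rng.random() < solver_accuracy:
                carp_hits += 1
                break
    return conv_hits / runs, carp_hits / runs


if __name__ == "__main__":
    N, K, ACC = 100, 50, 0.1      # constructed parameters
    print("conventional, closed form:", p_found_conventional(N, K))
    print("CaRP, closed form:        ", round(p_found_carp(N, K, ACC), 4))
    print("simulated (conv, carp):   ", simulate(N, K, ACC, 2000))
```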
4. Security of Underlying Captcha: Computational intractability
in recognizing objects in CaRP images is fundamental
to CaRP. Existing analyses on Captcha security were mostly
case by case or used an approximate process. No theoretic
security model has been established yet. Object segmentation
is considered a computationally expensive, combinatorially
hard problem, which modern text Captcha schemes rely on.
Fig.2. User Registration.
Fig.3. Admin Login.
Fig.4. Admin Activating User.
Fig.5. User Login (enter user name).
Fig.6. User Login (enter password & Captcha code).
Fig.7. User Upload (click image & upload).
Fig.8. User Download.
Fig.9. User Download (click image & download).
Fig.10. If you click invalid coordinates.
Fig.11. When you click correct coordinates.
Fig.12. File downloading.
Fig.13. Viewing Downloaded File.
Fig.14. User login: if an invalid Captcha code is entered,
the account is blocked and an alert is sent to the
registered mail.
Fig.15. Admin activating blocked user.
IV. CONCLUSION
We have proposed CaRP, a new security primitive
relying on unsolved hard AI problems. CaRP is both a
Captcha and a graphical password scheme. The notion of
CaRP introduces a new family of graphical passwords, which
adopts a new approach to counter online guessing attacks: a
new CaRP image, which is also a Captcha challenge, is used
for every login attempt to make trials of an online guessing
attack computationally independent of each other. A
password of CaRP can be found only probabilistically by
automatic online guessing attacks including brute-force
attacks, a desired security property that other graphical
password schemes lack. Hotspots in CaRP images can no
longer be exploited to mount automatic online guessing
attacks, an inherent vulnerability in many graphical password
systems. CaRP forces adversaries to resort to significantly
less efficient and much more costly human-based attacks. In
addition to offering protection from online guessing attacks,
CaRP is also resistant to Captcha relay attacks, and, if
combined with dual-view technologies, shoulder-surfing
attacks. CaRP can also help reduce spam emails sent from a
Web email service.
Our usability study of two CaRP schemes we have
implemented is encouraging. For example, more participants
considered Animal Grid and Click Text easier to use than
Pass Points and a combination of text password and Captcha.
Both Animal Grid and Click Text had better password memorability
than the conventional text passwords. On the other
hand, the usability of CaRP can be further improved by using
images of different levels of difficulty based on the login
history of the user and the machine used to log in. The
optimal tradeoff between security and usability remains an
open question for CaRP, and further studies are needed to
refine CaRP for actual deployments. Like Captcha, CaRP
utilizes unsolved AI problems. However, a password is much
more valuable to attackers than a free email account that
Captcha is typically used to protect. Therefore there are more
incentives for attackers to hack CaRP than Captcha. That is,
more efforts will be attracted to the following win-win game
by CaRP than ordinary Captcha: If attackers succeed, they
contribute to improving AI by providing solutions to open
problems such as segmenting 2D texts. Otherwise, our
system stays secure, contributing to practical security. As a
framework, CaRP does not rely on any specific Captcha
scheme. When one Captcha scheme is broken, a new and
more secure one may appear and be converted to a CaRP
scheme. Overall, our work is one step forward in the
paradigm of using hard AI problems for security. With
reasonable security, usability and practical applications,
CaRP has good potential for refinements, which call for
useful future work. More importantly, we expect CaRP to
inspire new inventions of such AI based security primitives.